PT-2022-7707 · Lxml+10

Published: 2022-07-05 · Updated: 2025-01-28 · CVE-2022-2309

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: lxml versions 2.9.10 through 2.9.14
Description: The issue allows attackers to cause a denial of service (application crash) when lxml is used together with libxml2. It is triggered by forged input data reaching a vulnerable code sequence in the application, specifically the iterwalk function, which is also used by the canonicalize function. Exploitation requires that untrusted input is received and processed via iterwalk, which can then lead to a crash. The vulnerability matters when parsing and iterwalk are used together; this combination is less common because more efficient alternatives such as iterparse exist, but there are legitimate use cases, such as an XML converter that serializes to C14N, where it could be exploited.
Recommendations: For versions 2.9.10 through 2.9.14, consider disabling the iterwalk function until a patch is available, to prevent crashes from forged input data. Restrict access to untrusted input to minimize the risk of exploitation. If possible, replace the iterwalk function with the more efficient iterparse function to reduce the vulnerability's impact.

Exploit · Fix · DoS · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2022:8226
ALSA-2022_8226
ALT-PU-2022-2865
ALT-PU-2023-1150
ALT-PU-2023-5651
ALT-PU-2023-6474
ALT-PU-2024-15140
AZL-10058
AZL-10059
BDU:2025-01012
CVE-2022-2309
DLA-3878-1
GHSA-WRXV-2J5Q-M38W
INFSA-2022_8226
MGASA-2022-0331
MGASA-2023-0157
OESA-2022-1790
OESA-2024-1413
OESA-2024-1414
OPENSUSE-SU-2022_2908-1
OPENSUSE-SU-2024:12273-1
OPENSUSE-SU-2024:12290-1
PYSEC-2022-230
RHSA-2022:8226
RHSA-2022_8226
RLSA-2022:8226
ROSA-SA-2024-2467
SUSE-SU-2022:2878-1
SUSE-SU-2022:2908-1
SUSE-SU-2022_2878-1
SUSE-SU-2022_2908-1
USN-5760-1
USN-6028-2

Affected Products

Alt Linux
Almalinux
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libxml2
Lxml